fix: Updates from plan validation

Author: bryantbiggs

README.md

@@ -56,22 +56,36 @@ Refer to the [EKS Managed Node Group documentation](https://docs.aws.amazon.com/
 ```hcl
   eks_managed_node_groups = {
     custom_ami = {
-      ami_id = "ami-0caf35bc73450c396"
+      ami_id   = "ami-0caf35bc73450c396"
+      ami_type = "AL2023_x86_64_STANDARD"
 
       # By default, EKS managed node groups will not append bootstrap script;
       # this adds it back in using the default template provided by the module
       # Note: this assumes the AMI provided is an EKS optimized AMI derivative
       enable_bootstrap_user_data = true
 
-      pre_bootstrap_user_data = <<-EOT
-        export FOO=bar
-      EOT
-
-      # Because we have full control over the user data supplied, we can also run additional
-      # scripts/configuration changes after the bootstrap script has been run
-      post_bootstrap_user_data = <<-EOT
-        echo "you are free little kubelet!"
-      EOT
+      cloudinit_pre_nodeadm = [{
+        content      = <<-EOT
+          ---
+          apiVersion: node.eks.aws/v1alpha1
+          kind: NodeConfig
+          spec:
+            kubelet:
+              config:
+                shutdownGracePeriod: 30s
+                featureGates:
+                  DisableKubeletCloudCredentialProviders: true
+        EOT
+        content_type = "application/node.eks.aws"
+      }]
+
+      # This is only possible when `ami_id` is specified, indicating a custom AMI
+      cloudinit_post_nodeadm = [{
+        content      = <<-EOT
+          echo "All done"
+        EOT
+        content_type = "text/x-shellscript; charset=\"us-ascii\""
+      }]
     }
   }
 ```
@@ -115,7 +129,7 @@ Refer to the [Self Managed Node Group documentation](https://docs.aws.amazon.com
 ```hcl
   kubernetes_version = "1.33"
 
-  # This self managed node group will use the latest AWS EKS Optimized AMI for Kubernetes 1.27
+  # This self managed node group will use the latest AWS EKS Optimized AMI for Kubernetes 1.33
   self_managed_node_groups = {
     default = {}
   }
@@ -152,7 +166,7 @@ For example, the following creates 4 AWS EKS Managed Node Groups:
 
 ```hcl
   eks_managed_node_group_defaults = {
-    ami_type               = "AL2_x86_64"
+    ami_type               = "AL2023_x86_64_STANDARD"
     disk_size              = 50
     instance_types         = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
   }
@@ -166,9 +180,8 @@ For example, the following creates 4 AWS EKS Managed Node Groups:
       instance_types = ["c5.large", "c6i.large", "c6d.large"]
     }
 
-    # This further overrides the instance types and disk size used
+    # This further overrides the instance types
     persistent = {
-      disk_size = 1024
       instance_types = ["r5.xlarge", "r6i.xlarge", "r5b.xlarge"]
     }
 

docs/compute_resources.md

@@ -12,23 +12,36 @@
 
 `disk_size`, and `remote_access` can only be set when using the EKS managed node group default launch template. This module defaults to providing a custom launch template to allow for custom security groups, tag propagation, etc. If you wish to forgo the custom launch template route, you can set `use_custom_launch_template = false` and then you can set `disk_size` and `remote_access`.
 
-### I received an error: `expect exactly one securityGroup tagged with kubernetes.io/cluster/<NAME> ...`
+### I received an error: `expect exactly one securityGroup tagged with kubernetes.io/cluster/<CLUSTER_NAME> ...`
 
-By default, EKS creates a cluster primary security group that is created outside of the module and the EKS service adds the tag `{ "kubernetes.io/cluster/<CLUSTER_NAME>" = "owned" }`. This on its own does not cause any conflicts for addons such as the AWS Load Balancer Controller until users decide to attach both the cluster primary security group and the shared node security group created by the module (by setting `attach_cluster_primary_security_group = true`). The issue is not with having multiple security groups in your account with this tag key:value combination, but having multiple security groups with this tag key:value combination attached to nodes in the same cluster. There are a few ways to resolve this depending on your use case/intentions:
+⚠️ `<CLUSTER_NAME>` would be the name of your cluster
 
-⚠️ `<CLUSTER_NAME>` below needs to be replaced with the name of your cluster
+By default, EKS creates a cluster primary security group that is created outside of the module and the EKS service adds the tag `{ "kubernetes.io/cluster/<CLUSTER_NAME>" = "owned" }`. This on its own does not cause any conflicts for addons such as the AWS Load Balancer Controller until users decide to attach both the cluster primary security group and the shared node security group created by the module (by setting `attach_cluster_primary_security_group = true`). The issue is not with having multiple security groups in your account with this tag key:value combination, but having multiple security groups with this tag key:value combination attached to nodes in the same cluster. There are a few ways to resolve this depending on your use case/intentions:
 
 1. If you want to use the cluster primary security group, you can disable the creation of the shared node security group with:
 
 ```hcl
-  create_node_security_group            = false # default is true
-  attach_cluster_primary_security_group = true # default is false
+  create_node_security_group = false # default is true
+
+  eks_managed_node_group_defaults = {
+    attach_cluster_primary_security_group = true # default is false
+  }
+  # Or for self-managed
+  self_managed_node_group_defaults = {
+    attach_cluster_primary_security_group = true # default is false
+  }
 ```
 
 2. By not attaching the cluster primary security group. The cluster primary security group has quite broad access and the module has instead provided a security group with the minimum amount of access to launch an empty EKS cluster successfully and users are encouraged to open up access when necessary to support their workload.
 
 ```hcl
-  attach_cluster_primary_security_group = false # this is the default for the module
+  eks_managed_node_group_defaults = {
+    attach_cluster_primary_security_group = true # default is false
+  }
+  # Or for self-managed
+  self_managed_node_group_defaults = {
+    attach_cluster_primary_security_group = true # default is false
+  }
 ```
 
 In theory, if you are attaching the cluster primary security group, you shouldn't need to use the shared node security group created by the module. However, this is left up to users to decide for their requirements and use case.
@@ -58,6 +71,8 @@ If you require a public endpoint, setting up both (public and private) and restr
 
 The module is configured to ignore this value. Unfortunately, Terraform does not support variables within the `lifecycle` block. The setting is ignored to allow autoscaling via controllers such as cluster autoscaler or Karpenter to work properly and without interference by Terraform. Changing the desired count must be handled outside of Terraform once the node group is created.
 
+:info: See [this](https://github.com/bryantbiggs/eks-desired-size-hack) for a workaround to this limitation.
+
 ### How do I access compute resource attributes?
 
 Examples of accessing the attributes of the compute resource(s) created by the root module are shown below. Note - the assumption is that your cluster module definition is named `eks` as in `module "eks" { ... }`:
@@ -90,6 +105,10 @@ aws eks describe-addon-versions --query 'addons[*].addonName'
 
 ### What configuration values are available for an add-on?
 
+> [!NOTE]
+> The available configuration values will vary between add-on versions,
+> typically more configuration values will be added in later versions as functionality is enabled by EKS.
+
 You can retrieve the configuration value schema for a given addon using the following command:
 
 ```sh
@@ -286,7 +305,3 @@ Returns (at the time of writing):
   }
 }
 ```
-
-> [!NOTE]
-> The available configuration values will vary between add-on versions,
-> typically more configuration values will be added in later versions as functionality is enabled by EKS.

docs/faq.md

@@ -27,7 +27,7 @@ See the example snippet below which adds additional security group rules to the
 ```hcl
   ...
   # Extend cluster security group rules
-  cluster_security_group_additional_rules = {
+  security_group_additional_rules = {
     egress_nodes_ephemeral_ports_tcp = {
       description                = "To node 1025-65535"
       protocol                   = "tcp"

docs/network_connectivity.md

@@ -10,7 +10,8 @@ Users can see the various methods of using and providing user data through the [
   - AMI types of `BOTTLEROCKET_*`, user data must be in TOML format
   - AMI types of `WINDOWS_*`, user data must be in powershell/PS1 script format
 - Self Managed Node Groups
-  - `AL2_x86_64` AMI type (default) -> the user data template (bash/shell script) provided by the module is used as the default; users are able to provide their own user data template
+  - `AL2_*` AMI types -> the user data template (bash/shell script) provided by the module is used as the default; users are able to provide their own user data template
+  - `AL2023_*` AMI types -> the user data template (MIME multipart format) provided by the module is used as the default; users are able to provide their own user data template
   - `BOTTLEROCKET_*` AMI types -> the user data template (TOML file) provided by the module is used as the default; users are able to provide their own user data template
   - `WINDOWS_*` AMI types -> the user data template (powershell/PS1 script) provided by the module is used as the default; users are able to provide their own user data template
 
@@ -24,9 +25,24 @@ When using an EKS managed node group, users have 2 primary routes for interactin
 
    - Users can use the following variables to facilitate this process:
 
-     ```hcl
-     pre_bootstrap_user_data = "..."
-     ```
+    For `AL2_*`, `BOTTLEROCKET_*`, and `WINDOWS_*`:
+    ```hcl
+    pre_bootstrap_user_data = "..."
+    ```
+
+    For `AL2023_*`
+    ```hcl
+    cloudinit_pre_nodeadm = [{
+      content      = <<-EOT
+        ---
+        apiVersion: node.eks.aws/v1alpha1
+        kind: NodeConfig
+        spec:
+          ...
+      EOT
+      content_type = "application/node.eks.aws"
+    }]
+    ```
 
 2. If a custom AMI is used, then per the [AWS documentation](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-custom-ami), users will need to supply the necessary user data to bootstrap and register nodes with the cluster when launched. There are two routes to facilitate this bootstrapping process:
    - If the AMI used is a derivative of the [AWS EKS Optimized AMI ](https://github.com/awslabs/amazon-eks-ami), users can opt in to using a template provided by the module that provides the minimum necessary configuration to bootstrap the node when launched:

docs/user_data.md

@@ -60,7 +60,7 @@ resource "aws_eks_cluster" "this" {
     content {
       enabled       = compute_config.value.enabled
       node_pools    = compute_config.value.node_pools
-      node_role_arn = try(compute_config.value.node_pools, []) > 0 ? try(compute_config.value.node_role_arn, aws_iam_role.eks_auto[0].arn, null) : null
+      node_role_arn = compute_config.value.node_pools != null ? try(compute_config.value.node_role_arn, aws_iam_role.eks_auto[0].arn, null) : null
     }
   }
 
@@ -283,14 +283,14 @@ resource "aws_eks_access_entry" "this" {
   for_each = { for k, v in local.merged_access_entries : k => v if local.create }
 
   cluster_name      = aws_eks_cluster.this[0].id
-  kubernetes_groups = each.value.kubernetes_groups
+  kubernetes_groups = try(each.value.kubernetes_groups, null)
   principal_arn     = each.value.principal_arn
-  type              = each.value.type
-  user_name         = each.value.user_name
+  type              = try(each.value.type, null)
+  user_name         = try(each.value.user_name, null)
 
   tags = merge(
     var.tags,
-    each.value.tags,
+    try(each.value.tags, {}),
   )
 }
 
@@ -403,12 +403,12 @@ resource "aws_security_group_rule" "cluster" {
   from_port                = each.value.from_port
   to_port                  = each.value.to_port
   type                     = each.value.type
-  description              = each.value.description
-  cidr_blocks              = each.value.cidr_blocks
-  ipv6_cidr_blocks         = each.value.ipv6_cidr_blocks
-  prefix_list_ids          = each.value.prefix_list_ids
-  self                     = each.value.self
-  source_security_group_id = each.value.source_node_security_group ? local.node_security_group_id : each.value.source_security_group_id
+  description              = try(each.value.description, null)
+  cidr_blocks              = try(each.value.cidr_blocks, null)
+  ipv6_cidr_blocks         = try(each.value.ipv6_cidr_blocks, null)
+  prefix_list_ids          = try(each.value.prefix_list_ids, null)
+  self                     = try(each.value.self, null)
+  source_security_group_id = try(each.value.source_node_security_group, false) ? local.node_security_group_id : try(each.value.source_security_group_id, null)
 }
 
 ################################################################################
@@ -733,7 +733,7 @@ resource "aws_iam_role_policy_attachment" "custom" {
 data "aws_eks_addon_version" "this" {
   for_each = var.addons != null && local.create && !local.create_outposts_local_cluster ? var.addons : {}
 
-  addon_name         = try(each.value.name, each.key)
+  addon_name         = coalesce(each.value.name, each.key)
   kubernetes_version = coalesce(var.kubernetes_version, aws_eks_cluster.this[0].version)
   most_recent        = each.value.most_recent
 }
@@ -743,7 +743,7 @@ resource "aws_eks_addon" "this" {
   for_each = var.addons != null && local.create && !local.create_outposts_local_cluster ? { for k, v in var.addons : k => v if !v.before_compute } : {}
 
   cluster_name = aws_eks_cluster.this[0].id
-  addon_name   = try(each.value.name, each.key)
+  addon_name   = coalesce(each.value.name, each.key)
 
   addon_version        = try(each.value.addon_version, data.aws_eks_addon_version.this[each.key].version)
   configuration_values = each.value.configuration_values
@@ -786,7 +786,7 @@ resource "aws_eks_addon" "before_compute" {
   for_each = var.addons != null && local.create && !local.create_outposts_local_cluster ? { for k, v in var.addons : k => v if v.before_compute } : {}
 
   cluster_name = aws_eks_cluster.this[0].id
-  addon_name   = try(each.value.name, each.key)
+  addon_name   = coalesce(each.value.name, each.key)
 
   addon_version        = try(each.value.addon_version, data.aws_eks_addon_version.this[each.key].version)
   configuration_values = each.value.configuration_values

main.tf

@@ -94,6 +94,7 @@ module "eks_managed_node_group" {
 | [aws_vpc_security_group_ingress_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ec2_instance_type.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_instance_type) | data source |
+| [aws_eks_cluster_versions.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_versions) | data source |
 | [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -117,7 +118,7 @@ module "eks_managed_node_group" {
 | <a name="input_cluster_auth_base64"></a> [cluster\_auth\_base64](#input\_cluster\_auth\_base64) | Base64 encoded CA of associated EKS cluster | `string` | `""` | no |
 | <a name="input_cluster_endpoint"></a> [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint of associated EKS cluster | `string` | `""` | no |
 | <a name="input_cluster_ip_family"></a> [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6` | `string` | `"ipv4"` | no |
-| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of associated EKS cluster | `string` | `null` | no |
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of associated EKS cluster | `string` | `""` | no |
 | <a name="input_cluster_primary_security_group_id"></a> [cluster\_primary\_security\_group\_id](#input\_cluster\_primary\_security\_group\_id) | The ID of the EKS cluster primary security group to associate with the instance(s). This is the security group that is automatically created by the EKS service | `string` | `null` | no |
 | <a name="input_cluster_service_cidr"></a> [cluster\_service\_cidr](#input\_cluster\_service\_cidr) | The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself | `string` | `""` | no |
 | <a name="input_cpu_options"></a> [cpu\_options](#input\_cpu\_options) | The CPU options for the instance | <pre>object({<br/>    amd_sev_snp      = optional(string)<br/>    core_count       = optional(number)<br/>    threads_per_core = optional(number)<br/>  })</pre> | `null` | no |

modules/eks-managed-node-group/README.md

@@ -361,9 +361,16 @@ resource "aws_launch_template" "this" {
 # AMI SSM Parameter
 ################################################################################
 
+data "aws_eks_cluster_versions" "this" {
+  count = var.create && var.kubernetes_version == null ? 1 : 0
+
+  cluster_type   = "eks"
+  version_status = "STANDARD_SUPPORT"
+}
+
 locals {
   # Just to ensure templating doesn't fail when values are not provided
-  ssm_kubernetes_version = var.kubernetes_version != null ? var.kubernetes_version : ""
+  ssm_kubernetes_version = var.kubernetes_version != null ? var.kubernetes_version : try(data.aws_eks_cluster_versions.this[0].cluster_versions[0].cluster_version, "UNSPECIFIED")
   ssm_ami_type           = var.ami_type != null ? var.ami_type : ""
 
   # Map the AMI type to the respective SSM param path
@@ -737,7 +744,7 @@ resource "aws_vpc_security_group_ingress_rule" "this" {
 }
 
 resource "aws_vpc_security_group_egress_rule" "this" {
-  for_each = { for k, v in local.security_group_egress_rules : k => v if length(local.security_group_egress_rules) && local.create_security_group }
+  for_each = { for k, v in local.security_group_egress_rules : k => v if length(local.security_group_egress_rules) > 0 && local.create_security_group }
 
   cidr_ipv4                    = each.value.cidr_ipv4
   cidr_ipv6                    = each.value.cidr_ipv6